Month: November 2016
(Or, How business owners can add a second line to their cellphone number)
The New York Times, Nov. 12, 2016
By STEVE LOHR
The next time someone asks you for your cellphone number, you may want to think twice about giving it.
The cellphone number is more than just a bunch of digits. It is increasingly used as a link to private information maintained by all sorts of companies, including money lenders and social networks. It can be used to monitor and predict what you buy, look for online or even watch on television.
It has become “kind of a key into the room of your life and information about you,” said Edward M. Stroz, a former high-tech crime agent for the F.B.I. who is co-president of Stroz Friedberg, a private investigator.
Yet the cellphone number is not a legally regulated piece of information like a Social Security number, which companies are required to keep private. And we are told to hide and protect our Social Security numbers while most of us don’t hesitate when asked to write a cellphone number on a form or share it with someone we barely know.
That is a growing issue for young people, since two sets of digits may well be with them for life: their Social Security number and their cellphone number.
Nearly half of all American households have given up their landlines and have only wireless phone service — a figure that has risen more than 10 percentage points in just three years. Among people ages 25 to 29, the share of homes that have only wireless phone service stands at 73 percent, according to government statistics.
Taylor Gallanter, a 23-year-old hair stylist in San Francisco, has had her cellphone number since she was 15. She has never had a landline and doubts she ever will.
She knows how valuable her cellphone number is. She does not provide it on online forms unless it is required. Using her email address as contact information, she said, seems less invasive and risky.
“With just your cellphone number and name, I know they can get all sorts of information about you,” Ms. Gallanter said.
In fact, investigators find that a cellphone number is often even more useful than a Social Security number because it is tied to so many databases and is connected to a device you almost always have with you, said Austin Berglas, a former F.B.I. agent who is senior managing director of K2 Intelligence, a private investigator.
“The point is the cellphone number can be a gateway to all sorts of other information,” said Robert Schoshinski, the assistant director for privacy and identity protection at the Federal Trade Commission. “People should think about it.”
The use of the cellphone number in new, unanticipated ways has echoes in the history of the Social Security number, which was created in 1936. Its original purpose was to enable the nation’s nascent social insurance system to maintain accurate records of workers covered under the program. It was never meant as a general-purpose identification number.
Gradually, the simplicity of using a unique number to identify people encouraged the widespread use by other government agencies and corporations. That took off starting in the 1960s, when mainframe computers made it possible to create huge digital files on citizens and customers.
The spread of the Social Security number as a quick and easy identifier, found in all kinds of corporate and government databases, has smoothed the way for commerce. But there have been unintended consequences.
“That Social Security numbers are so broadly used and often so poorly protected is a major cause of the current epidemic of identity theft,” said Alessandro Acquisti, a computer scientist and privacy expert at Carnegie Mellon University.
The total losses in the United States from stolen identities used in crimes like credit card and loan fraud were $15 billion last year, Javelin, a research and consulting firm, estimated. And 11 percent of American adults say they lost money last year in a telephone swindle, according to a Harris Poll survey sponsored by Truecaller, a Swedish maker of a cellphone app with features like caller ID and spam blocking.
But if a cellphone number and the intimate computer behind it open a door to new risks, technology, as is so often the case, can also be employed to combat those risks.
Take fraud prevention. When shoppers use Affirm, a start-up that offers an alternative to credit cards for online purchases, the company’s software mines many data sources and approves or rejects a loan within a minute or so.
To perform that feat of technical wizardry, Affirm asks borrowers for a few pieces of personal information, including their names and dates of birth.
But the strongest identifier and conduit to useful information is the cellphone number, which acts like “the digital equivalent of the Social Security number,” said Max Levchin, chief executive of Affirm.
When a customer of Affirm wants to get an installment loan to buy, say, an $850 mattress or a $3,000 mountain bike, the company sends the person a temporary personal identification number in a text message.
The same form of authentication is widely used by banks, payment systems like PayPal and other companies before certain transactions are approved. The temporary ID numbers typically remain valid for only 30 seconds to 180 seconds, increasing the odds that the person trying to borrow or buy is indeed the same person who owns the phone with that number.
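As an added illustration (not part of the article and not any company's actual code), this Python example shows the server side of such a text-message PIN check: the PIN expires, works only once, and allows a limited number of guesses. The `PinStore` class, the 120-second lifetime and the three-guess limit are assumptions chosen for the example; sending the text message itself is left to the caller.

```python
import hashlib
import hmac
import secrets
import time

PIN_TTL_SECONDS = 120  # assumed value inside the 30-180 second range quoted above
MAX_ATTEMPTS = 3       # assumed guess limit; the article does not give one


class PinStore:
    """In-memory record of pending PINs, keyed by phone number (hypothetical helper)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}  # phone -> [salt, digest, expires_at, attempts_left]

    def issue(self, phone):
        """Create a random 6-digit PIN for `phone`; the caller texts it to the handset."""
        pin = f"{secrets.randbelow(10**6):06d}"
        salt = secrets.token_bytes(16)
        digest = hashlib.sha256(salt + pin.encode()).digest()
        # Issuing again replaces any earlier PIN, so only the newest one is valid.
        self._pending[phone] = [salt, digest,
                                self._clock() + PIN_TTL_SECONDS, MAX_ATTEMPTS]
        return pin

    def verify(self, phone, candidate):
        """Return True exactly once for the correct, unexpired PIN; otherwise False."""
        entry = self._pending.get(phone)
        if entry is None:
            return False
        salt, digest, expires_at, attempts_left = entry
        if self._clock() >= expires_at or attempts_left <= 0:
            del self._pending[phone]  # expired or locked out: a new PIN is required
            return False
        entry[3] = attempts_left - 1  # count this guess before checking it
        supplied = hashlib.sha256(salt + candidate.encode()).digest()
        if hmac.compare_digest(supplied, digest):  # constant-time comparison
            del self._pending[phone]  # single use: a replayed PIN fails
            return True
        return False
```

A deployed service would also limit how often `issue()` can be called per number and keep pending PINs in shared storage rather than in one process's memory.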
It’s not foolproof, but if a cellphone is lost or stolen, it is typically locked. It can be hacked into, but that takes a separate set of skills. By contrast, a stolen Social Security number is a permanent pathway to identity theft.
“What you can do with the cellphone number and mobile technology represents a pretty substantial advantage in the ongoing war against fraud and identity theft,” said Rajeev Date, a venture investor and former banker, who was previously deputy director of the Consumer Financial Protection Bureau.
But a cellphone-only life presents problems for many independent professionals and workers at start-ups and small businesses, who make business calls on their personal cellphones. So Ms. Gallanter, a partner in a mobile barbershop in a van, became one of the five million people who have installed the new app Sideline this year to add a second number to their cellphones.
The service is free for individuals and $10 a month a number for groups of workers in a business, who get extra features like a company directory and voice mail transcription. One of Sideline’s ad mottos is: “Keep your personal number private. Add a second number to your smartphone.”
“This gives you a second mobile identity, which more and more people need today,” said Greg Woock, chief executive of Pinger, a start-up in San Jose, Calif., that created the Sideline software and service.
Huffington Post 10/15/2015 03:27 pm ET
by Jason Glassberg, Co-Founder, Casaba Security
The holiday shopping season is just around the corner, but businesses aren’t the only ones that will be profiting from the uptick in consumer spending—cybercriminals will be making plenty of money too.
For cybercriminals, the busy end-of-the-year shopping season is a prime opportunity to steal consumer data, hijack small business bank accounts and extort companies using cyber-attacks. Why? Because many businesses are stretched thin during the hectic November to January period, which means they have less time to check and maintain their IT security, look for incidents of fraud and other malicious activity, and they’re also more willing to pay off a cybercriminal who threatens their business operations during a crucial profit-making period.
Small businesses are particularly at risk during the holidays because they often have fewer resources available for IT security, as well as less experience dealing with threats. According to the national insurance company, Travelers, 62% of all data breach victims are small- to mid-size businesses.
For this reason, SMBs need to take extra precautions ahead of time to avoid these risks.
Here’s a simple checklist that every small business owner should complete before the holiday rush:
- Update Everything – Make sure every computing product you have, whether it’s a desktop, laptop, server, mobile device, point-of-sale terminal, WiFi router, etc., is fully updated with the latest software and security patches. This will lower the risk of hackers exploiting known security flaws. In particular, businesses should transition to the new EMV, or “smart chip,” point-of-sale devices as soon as possible since the older swipe-based terminals no longer have fraud coverage by the major credit card companies. Also, if you’re still using other end-of-life software or devices, like Windows XP or Windows Server 2003, try to replace them as soon as possible as they are high-risk targets.
- Do a Password Audit – Now’s the time to start asking questions like: do any of your employees have too much access to sensitive networks or data, when was the last time the company reset its passwords, how strong are employees’ individual passwords and what would happen if any single password was compromised by a hacker? Segment the company so that no single employee has too much access to key accounts – that way, if they’re hacked they won’t sink the ship. Make sure every employee has a “password manager” tool (ex: LastPass, Dashlane) loaded on her desktop, laptop, mobile device and point-of-sale terminal. Require passwords to be long and complex (12+ characters, using upper and lower case letters, numbers and special symbols), and changed frequently.
- Scan the Website – Most small business websites today are riddled with basic security flaws. These flaws could allow a hacker to steal information stored on back-end servers, or infect customers who visit the web page. Sign up for a web scanning service (ex: McAfee SECURE, Symantec Safe Site) that will check the site every day for vulnerabilities and malware. Go one step further by signing up for a security information and event management, or SIEM, tool (ex: AlienVault, HP Arcsight) – this will monitor the site for active attacks.
- Isolate Your Online Banking – A special type of malware known as the “banking Trojan” is widespread on the Internet and it’s easy to get infected just by surfing the web and opening emails. Criminals use this malware to take over small business bank accounts and steal tens of thousands to millions of dollars. Banks don’t always catch the fraudulent activity and they may refuse to reimburse the small business for its losses. The best way to avoid this risk is by having a dedicated computer (desktop or laptop) that is literally used for nothing else except logging into the online bank account. This will greatly reduce your chance of a malware infection. Also, sign up for extra security features offered by your bank, such as two-factor authentication, email alerts and fraud monitoring.
- Anticipate Extortion Attacks – Cyber extortion incidents are growing rapidly across the US, and SMBs are a prime target. Two of the most common attacks, especially during the holiday season, are distributed denial-of-service (DDoS) and ransomware. In a DDoS attack, hackers will knock the company’s website offline by flooding it with bogus web traffic. They will then demand a fee (usually $5,000+) to stop the attack. The best way to prevent this is by signing up with a DDoS mitigation service (ex: CloudFlare, Incapsula). In the case of ransomware, the company will be infected with a type of malware that locks up all available files (e.g., Word docs, spreadsheets, etc.) using high-grade encryption, thereby rendering them unusable. The hackers will then demand a ransom to unlock the data. The best way to mitigate this attack is a simple one – back up data regularly. If back-ups are done every day, or at least once per week, the company can simply wipe the hard drive of the infected machine and restore the data – with only a minimal disruption of business operations.
- Lockbox Your Data – Every company will eventually be hacked. Therefore, safeguard your most important data – like customer accounts – by encrypting it; that way, even if a hacker breaks in and steals these files, they won’t be able to use them. There is a wide range of commercially available encryption products that are user-friendly and inexpensive. They include full-disk and file encryption tools, as well as email and cloud encryption.
By following these six simple, inexpensive tips, any business can significantly reduce the damage potential of a hack. Remember, no business can prevent every cyber attack, so focus instead on common sense measures that will protect data and operations even if the worst comes to pass.